Sometimes, changes introduced in a new release have side-effects
we cannot reasonably avoid, or they expose
bugs somewhere else. This section documents issues we are aware of. Please also
read the errata, the relevant packages' documentation, bug reports, and other
information mentioned in Section 6.1, “Further reading”.

5.1. Upgrade specific items for stretch

This section covers items related to the upgrade from
jessie to stretch.

5.1.1. Late mounting of /usr is no longer supported

Note

This section only applies to systems using a custom kernel,
where /usr is on a separate mount point
from /. If you use the kernel packages
provided by Debian, you are unaffected by this issue.

Mounting of /usr using only tools found in
/ is no longer supported. This has only worked
for a few specific configurations in the past, and now they are
explicitly unsupported.

This means that for stretch all systems where /usr
is a separate partition need to use an initramfs generator that will mount
/usr. All initramfs generators in stretch do so.

5.1.2. FTP access to Debian hosted mirrors will be removed

Debian hosted mirrors will stop providing FTP access. If you
have been using the ftp: protocol in your sources.list, please
migrate to http:. Please consider the following example for
migrating:
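As an added example (not the one from the release notes, which did not survive in this copy), the following shell script rewrites ftp:// mirror URIs in a sources.list to http:// and then checks that none are left. The mirror hostname in the constructed sample is a placeholder, not a real Debian mirror:

```shell
#!/bin/sh
# Added example, not from the Debian release notes: rewrite ftp: mirror
# entries in an APT sources.list to http:, keeping a backup copy.
# The mirror hostname below is a constructed placeholder.

# Rewrite every "deb"/"deb-src" line whose URI uses ftp:// so that it uses
# http:// instead. Only the URI scheme is touched; comments, options in
# [brackets] and the remaining fields are left alone.
# Usage: migrate_ftp_sources /etc/apt/sources.list
migrate_ftp_sources() {
    file="$1"
    cp "$file" "$file.bak"       # keep a copy in case the edit needs reverting
    sed -i -E 's#^([[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?)ftp://#\1http://#' "$file"
}

# Return 0 if no active deb/deb-src line still uses ftp://, 1 otherwise,
# so the result can be verified before running apt-get update.
remaining_ftp_sources() {
    ! grep -E '^[[:space:]]*deb(-src)?[[:space:]].*ftp://' "$1" >/dev/null
}

# Constructed sample sources.list for demonstration.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# stretch main repository (constructed example)
deb ftp://ftp.example.org/debian/ stretch main contrib
deb-src ftp://ftp.example.org/debian/ stretch main contrib
deb [arch=amd64] ftp://ftp.example.org/debian/ stretch-updates main
deb http://security.debian.org/debian-security stretch/updates main
EOF

migrate_ftp_sources "$SAMPLE"
cat "$SAMPLE"
remaining_ftp_sources "$SAMPLE" && echo "no ftp:// sources left"
```

The sed expression deliberately matches only lines that start with deb or deb-src, so an ftp:// URL inside a comment is left untouched; run apt-get update afterwards to confirm the http: mirrors are reachable.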

5.1.3. Noteworthy obsolete packages

The password managers fpm2
and kedpm
are no longer maintained upstream. Please use another password
manager like pass,
keepassx, or
keepass2. Make sure that you
extract your passwords from fpm2 and kedpm before removing the packages.

The nagios3
monitoring tools have been removed from stretch. The
icinga package is
the closest replacement. It reads its configuration files
from a different path than nagios did, but is otherwise
compatible.

5.1.4. Things to do post upgrade before rebooting

When apt-get dist-upgrade has finished, the
“formal” upgrade is complete. For the upgrade to
stretch, there are no special actions needed before
performing a reboot.

5.1.5. Executables are now compiled as position independent executables (PIE) by default

By default, the GNU GCC 6 compiler provided by Debian stretch
will compile all executables as position independent. This provides
a mitigation for an entire class of vulnerabilities.

Unfortunately, the Linux kernel provided in Debian 8 (up to 8.7)
has an issue that can cause some programs compiled as position
independent executables to crash with a non-descriptive error
such as a segmentation fault. This issue is
solved in the Linux version provided in 8.8 (version 3.16.43 or
later) and in the kernel provided in Debian 9 (version 4.9 or
later).

We recommend that you upgrade your kernel to a fixed version and
then reboot before starting the upgrade to stretch. If you are
running the kernel Debian 8.8 or newer, you are not affected by
this issue.

If you are running an affected version of
the kernel during the upgrade, we highly recommend that you
perform a reboot into the stretch kernel right after the
upgrade to avoid hitting this.

5.1.5.1. Behavior changes of PIE for system administrators and developers

Note

This section is mainly intended for developers or system
administrators. Desktop users are unlikely to be affected
by this section.

The above also leads to some changes that are worth being aware
of.

The file tool (among others) will
classify such binaries as “shared object” rather than
an “executable”. If you have filters based on binary
files, these may need to be updated (e.g. spamfilters).
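The reason file classifies a PIE as a "shared object" is the e_type field of the ELF header: a classic executable is ET_EXEC (2), while both shared libraries and PIEs are ET_DYN (3). The following added example (not from the release notes) reads that field directly, which is what a binary-type filter would need to check after the switch to PIE; the ELF headers it creates are constructed stubs, only the bytes the check reads are meaningful:

```shell
#!/bin/sh
# Added example, not from the Debian release notes: classify ELF files by
# the e_type field of their header, the field that makes file(1) report a
# PIE as a "shared object". ET_EXEC (2) is a fixed-address executable;
# ET_DYN (3) is used both for shared libraries and for PIE executables.

# Print the ELF object type of "$1": EXEC, DYN, the raw e_type number, or
# NOT-ELF. Reads only the header and honours the file's byte order.
elf_type() {
    f="$1"
    # e_ident[0..3] must be 0x7f 'E' 'L' 'F'
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo NOT-ELF
        return 1
    fi
    # e_ident[EI_DATA] at offset 5: 1 = little-endian, 2 = big-endian
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')
    # e_type is the 16-bit field at offset 16
    set -- $(od -An -tu1 -j16 -N2 "$f")
    if [ -z "$2" ]; then
        echo NOT-ELF            # truncated header
        return 1
    fi
    if [ "$data" = 2 ]; then
        etype=$(( $1 * 256 + $2 ))
    else
        etype=$(( $2 * 256 + $1 ))
    fi
    case "$etype" in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo "$etype" ;;
    esac
}

# List files in directory "$1" whose e_type is DYN but whose name does not
# look like a shared library. On a stretch system these are typically PIEs,
# which a filter keyed on the word "executable" would now miss.
list_dyn_programs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.so*) continue ;; esac
        [ "$(elf_type "$f")" = DYN ] && echo "$f"
    done
    return 0
}

# Constructed sample headers: 16 identification bytes followed by e_type.
# $1 = output file, $2 = exec|dyn, $3 = le|be (byte order, default le)
make_sample() {
    case "$2" in exec) t=2 ;; dyn) t=3 ;; *) return 1 ;; esac
    if [ "${3:-le}" = be ]; then
        printf "\177ELF\002\002\001\000\000\000\000\000\000\000\000\000\000\00$t" > "$1"
    else
        printf "\177ELF\002\001\001\000\000\000\000\000\000\000\000\000\00$t\000" > "$1"
    fi
}

DEMO=$(mktemp -d)
make_sample "$DEMO/pie-program" dyn
make_sample "$DEMO/classic-program" exec
make_sample "$DEMO/libdemo.so.1" dyn
for f in "$DEMO"/*; do echo "$f: $(elf_type "$f")"; done
echo "DYN files that are not named like libraries:"
list_dyn_programs "$DEMO"
```

The same field is what readelf -h prints as "Type"; note that the check cannot tell a PIE from a shared library by e_type alone, so any filter that must distinguish them needs a further criterion (for example the presence of a PT_INTERP program header).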

Static libraries being compiled into an executable now
also need to be compiled as position independent code.
The following error message from the linker is a symptom
of this:

relocation ... against '[SYMBOL]' can not be used when making a shared object; recompile with -fPIC

Note that even though the error message says -fPIC, it is
sufficient to recompile with -fPIE (which is the default
in the GCC 6 packages that are part of stretch).

Historically, position independent executables have been
associated with performance loss on some hardware, notably
on the Debian architecture i386 (32-bit Intel
machines). While GCC 5 and GCC 6 have greatly improved
performance for position independent executables on 32-bit
Intel, this optimization may not be applicable to
all architectures. Please consider evaluating the
performance of your code if you are targeting machine
architectures with a very limited number of registers.

5.1.6. Most LSB compatibility packages have been removed

Due to lack of interest and testability, Debian has
removed the vast majority of the Linux Standard Base (LSB)
compatibility packages.

5.1.7. Minimum requirement for 32-bit Intel is now i686 (with a minor exception)

The 32-bit PC support (known as the Debian architecture
i386) now no longer covers a plain i586 processor. The
new baseline is the i686, although some i586 processors
(e.g. the “AMD Geode”) will remain supported.

The supported i586 processors have all the features of an i686
processor except the “long NOP” (NOPL)
instruction. The following shell script may be a useful
indicator (assuming only one processor is installed in the
machine):

if grep -q '^flags.*\bfpu\b.*\btsc\b.*\bcx8\b.*\bcmov\b' /proc/cpuinfo; then
    echo "OK (assuming all CPUs are of the same type)"
else
    echo "NOT OK: Missing one or more of the required CPU extensions"
fi
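The script above only inspects the first matching flags line and so assumes one processor. The following added example (not from the release notes) generalizes it to every processor listed in a cpuinfo-format file and names the missing flags; the cpuinfo text it runs on is constructed for demonstration:

```shell
#!/bin/sh
# Added example, not from the Debian release notes: the same i686-baseline
# check as the release notes' script, extended to every processor in a
# cpuinfo-format file. The sample cpuinfo below is constructed.

# Flags the release notes' check requires (fpu, tsc, cx8, cmov).
REQUIRED_FLAGS="fpu tsc cx8 cmov"

# Check every "flags" line in file "$1" (default /proc/cpuinfo).
# Prints one line per processor; returns 1 if any processor lacks a
# required flag, 2 if the file contains no flags lines at all.
check_i686_baseline() {
    file="${1:-/proc/cpuinfo}"
    status=0
    n=0
    while IFS= read -r line; do
        case "$line" in flags*) ;; *) continue ;; esac
        flags=" ${line#*:} "          # pad so each flag matches as a whole word
        missing=""
        for f in $REQUIRED_FLAGS; do
            case "$flags" in *" $f "*) ;; *) missing="$missing $f" ;; esac
        done
        if [ -z "$missing" ]; then
            echo "cpu$n: OK"
        else
            echo "cpu$n: NOT OK, missing:$missing"
            status=1
        fi
        n=$((n + 1))
    done < "$file"
    if [ "$n" -eq 0 ]; then
        echo "no flags lines found in $file"
        return 2
    fi
    return "$status"
}

# Constructed two-processor sample: the second CPU lacks cmov.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
processor	: 0
model name	: Constructed CPU A
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov
processor	: 1
model name	: Constructed CPU B
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca
EOF

check_i686_baseline "$SAMPLE" || echo "at least one CPU is below the i686 baseline"
```

Run it without arguments to check the running machine; a mixed system is only safe to upgrade if every processor reports OK.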

5.2. Limitations in security support

There are some packages where Debian cannot promise to provide
minimal backports for security issues. These are covered in the
following subsections.

Note that the package debian-security-support helps to track
the security support status of installed packages.

5.2.1. Security status of web browsers

Debian 9 includes several browser engines which are
affected by a steady stream of security vulnerabilities. The
high rate of vulnerabilities and partial lack of upstream
support in the form of long term branches make it very difficult
to support these browsers with backported security fixes.
Additionally, library interdependencies make it impossible to
update to newer upstream releases. Therefore, browsers built
upon the webkit, qtwebkit and khtml engines are included in
stretch, but not covered by security support. These
browsers should not be used against untrusted websites.

For general web browser use we recommend Firefox or Chromium.

Chromium - while built upon the Webkit codebase - is a leaf
package, which will be kept up-to-date by rebuilding the current
Chromium releases for stable. Firefox and Thunderbird will also
be kept up-to-date by rebuilding the current ESR releases for
stable.

5.2.2. Lack of security support for the ecosystem around libv8 and Node.js

The Node.js platform is built on top of libv8-3.14, which experiences a high
volume of security issues, but there are currently no volunteers
within the project or the security team sufficiently interested
and willing to spend the large amount of time required to stem
those incoming issues.

Unfortunately, this means that libv8-3.14, nodejs, and the associated node-*
package ecosystem should not currently be used with untrusted
content, such as unsanitized data from the Internet.

In addition, these packages will not receive any security
updates during the lifetime of the stretch release.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between
jessie and stretch. There are a small number of
cases where some intervention may be required, either before or
during the upgrade; these are detailed below on a per-package
basis.

5.3.1. Older ciphers and SSH1 protocol disabled in OpenSSH by default

The OpenSSH 7 release has disabled some older ciphers and the SSH1
protocol by default. Please be careful when upgrading machines
where you only have SSH access.

Moreover, the default of the "UseDNS" configuration option has changed
from yes to no. This may cause users who use the "from=" functionality
in authorized_keys to limit ssh access by host to be locked out, which
is especially troublesome if upgrading remotely.
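With UseDNS set to no, sshd matches from= patterns only against the client's IP address, so patterns written as hostnames silently stop matching. The following added example (not from the release notes) scans an authorized_keys file before the upgrade and reports every from= pattern that is not an address, CIDR range or IP wildcard; the keys and hostnames in its sample file are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the Debian release notes: find authorized_keys
# entries whose from= patterns name hosts rather than addresses, since with
# UseDNS=no only address patterns can still match.
# Key material and hostnames below are constructed placeholders.

# Print "LINE: pattern" for each from= pattern in file "$1" that is not an
# IPv4 address, CIDR range, IP wildcard (e.g. 10.0.0.*) or IPv6 address.
# Returns 1 if any such pattern was found, 0 otherwise.
audit_from_patterns() {
    file="$1"
    found=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            \#*|"") continue ;;          # comments and blank lines
            *from=\"*) ;;                 # has a from= option
            *) continue ;;
        esac
        # Extract the quoted from= value and split it on commas.
        patterns=${line#*from=\"}
        patterns=${patterns%%\"*}
        IFS=','; set -- $patterns; unset IFS
        for p in "$@"; do
            p=${p#!}                      # "!" negates a pattern; address form is the same
            case "$p" in
                *:*) ;;                   # IPv6 literal
                *[!0-9.*/]*) echo "$n: $p"; found=1 ;;   # anything else is a name
            esac
        done
    done < "$file"
    return "$found"
}

# Constructed authorized_keys sample.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed authorized_keys sample
from="10.0.0.*,192.0.2.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY1 ops@bastion
from="*.example.org,!bad.example.org" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY2 admin@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY3 nobody@anywhere
EOF

audit_from_patterns "$SAMPLE" || echo "hostname patterns found; replace them with addresses before upgrading sshd"
```

Run it against each user's ~/.ssh/authorized_keys (and any AuthorizedKeysFile locations from sshd_config) while you still have a working session; rewriting the flagged patterns as addresses, or setting UseDNS yes explicitly, avoids the lock-out.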

5.3.2. Possible backwards incompatible changes to APT

This section covers some of the incompatible changes to APT that
may affect your system.

5.3.2.1. APT now fetches files as an unprivileged user (_apt)

APT will now attempt to discard all root privileges before
fetching files from mirrors. APT can detect some common cases
where this will fail and fall back to fetching things as root
with a warning. However, it may fail to detect some exotic
setups (e.g. UID-specific firewall rules).

If you experience issues with this feature, please change to
the _apt user and check that it:

has read access to files in
/var/lib/apt/lists and
/var/cache/apt/archives.

has read access to the APT trust store
(/etc/apt/trusted.gpg and
/etc/apt/trusted.gpg.d/)

5.3.2.2. New APT pinning engine

APT 1.1 introduced a new pinning engine that now matches the
description in the manual page.

The old engine assigned one pin priority per package;
the new one assigns pin priorities per version. It then picks
the version with the highest pin that is not a downgrade or that has
a pin > 1000.

This changes the effect of some pins, especially negative ones.
Previously, pinning a version to -1 effectively prevented the
package from being installed (the package pin was -1);
it now only prevents the version of this package from being
installed.

5.3.2.3. New requirements for APT repository

Note

This section only applies if you have (or intend to use)
third-party repositories enabled or if you maintain an APT
repository.

To improve download stability and ensure security of the
downloaded content, APT now requires the following from an
APT repository:

The InRelease file must be available.

All metadata must include at least SHA256 checksums of all
items. This includes the GPG signature of the InRelease
file.

Signatures on the InRelease file should be done with a key
size of 2048 bits or larger.

If you rely on a third-party repository that cannot comply
with the above, please urge them to upgrade their repository.
More information about the InRelease file can be found on the
Debian Wiki.

5.3.3. Desktops will migrate to libinput Xorg driver

Note

This section is only relevant if you have tweaked or need to
change the default Xorg input configuration.

In jessie, the default input driver for Xorg is the
evdev driver. In stretch, the default has
changed to libinput. If you have Xorg
configuration that relies on the evdev
driver, you will either have to convert it to the
libinput driver or reconfigure your system to
use the evdev driver.

The following is an example configuration for libinput
to enable the “Emulate3Buttons” feature.

Insert it into
/etc/X11/xorg.conf.d/41-middle-emulation.conf,
reboot (or restart your Xserver) and it should now be enabled.
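The configuration snippet itself did not survive in this copy of the notes. As an added example (not the release notes' own text), the following script writes an InputClass section that enables libinput's MiddleEmulation option, the libinput counterpart of evdev's Emulate3Buttons; the Identifier string is our own choice, and the MatchIsPointer/MatchDevicePath lines restrict it to pointer devices:

```shell
#!/bin/sh
# Added example, not from the Debian release notes: write an Xorg InputClass
# snippet enabling libinput's middle-button emulation. The Identifier text
# is our own; the option names are the libinput Xorg driver's.

# Write the snippet to "$1" (normally
# /etc/X11/xorg.conf.d/41-middle-emulation.conf), creating the directory
# if needed.
write_middle_emulation_conf() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
Section "InputClass"
        Identifier "libinput pointer: middle button emulation"
        MatchIsPointer "on"
        MatchDevicePath "/dev/input/event*"
        Driver "libinput"
        Option "MiddleEmulation" "on"
EndSection
EOF
}

# Return 0 if "$1" binds MiddleEmulation to the libinput driver.
has_middle_emulation() {
    grep -q 'Driver "libinput"' "$1" && grep -q 'Option "MiddleEmulation" "on"' "$1"
}

# Demonstration on a temporary path rather than the live Xorg configuration.
TARGET="$(mktemp -d)/xorg.conf.d/41-middle-emulation.conf"
write_middle_emulation_conf "$TARGET"
cat "$TARGET"
has_middle_emulation "$TARGET" && echo "middle emulation configured in $TARGET"
```

After copying the file into /etc/X11/xorg.conf.d/ and restarting the X server, xinput list-props on the mouse shows the "libinput Middle Emulation Enabled" property set to 1.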

The evdev driver is still available in the
xserver-xorg-input-evdev
package.

5.3.4. Upstart removed

Due to the lack of upstream maintainers,
the Upstart init system has been removed from stretch.
If your system relies on this package, you should note that it will not be updated
during the lifetime of Debian 9, and starting from Debian 10 (buster),
Upstart jobs may be removed from packages.

Please consider switching to a supported init system, like systemd or OpenRC.

5.3.5. The debhelper tool now generates dbgsym packages by default

Note

This section is mainly intended for developers or organizations
that build their own debian packages.

The debhelper tool suite will now generate dbgsym packages by
default for ELF binaries. If you develop and package binaries,
please check that your tooling supports these extra
auto-generated packages.

If you use reprepro, you
want to upgrade it to at least version 4.17.0. For aptly, you
will need at least version 1.0.0, which is unfortunately not
available in Debian stretch.

Should your tooling be unable to cope with these gracefully, you
can ask debhelper to disable this feature by adding
“noautodbgsym” in the DEB_BUILD_OPTIONS variable of your build
service. Please see the
dh_strip manpage for more information.

5.3.6. OpenSSL related changes

The openssl application expects option arguments before
non-option arguments. For example, this does not work anymore:

openssl dsaparam 2048 -out file

while this still does:

openssl dsaparam -out file 2048

The openssl enc command changed the default digest
(used to create the key from passphrase) from MD5 to SHA256. The digest can
be specified with the -md option in case old files need
to be decrypted with newer OpenSSL (or the other way around).
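Because the digest is not recorded in the encrypted file, the safe habit is to name it explicitly on both sides. The following added example (not from the release notes) wraps openssl enc so that the digest is always given, and shows a jessie-style (md5) file being decrypted with -md md5 on a newer OpenSSL; the passphrase and plaintext are constructed:

```shell
#!/bin/sh
# Added example, not from the Debian release notes: always pass -md to
# openssl enc so files round-trip between jessie (MD5 default) and stretch
# (SHA256 default). Passphrase and plaintext are constructed.

PASS="constructed-passphrase"

# Encrypt stdin into file "$1" with AES-256-CBC, deriving the key from
# $PASS with digest "$2" (md5 or sha256).
enc_with_md() {
    openssl enc -aes-256-cbc -salt -pass pass:"$PASS" -md "$2" -out "$1" 2>/dev/null
}

# Decrypt file "$1" to stdout using digest "$2"; fails when the digest does
# not match the one used for encryption (the derived key is then wrong).
dec_with_md() {
    openssl enc -d -aes-256-cbc -pass pass:"$PASS" -md "$2" -in "$1" 2>/dev/null
}

# Encrypt with digest "$1", decrypt with digest "$2"; print the recovered
# plaintext, or DECRYPT-FAILED when openssl reports a bad decrypt.
roundtrip() {
    f=$(mktemp)
    printf 'constructed secret' | enc_with_md "$f" "$1"
    out=$(dec_with_md "$f" "$2") || out="DECRYPT-FAILED"
    rm -f "$f"
    printf '%s' "$out"
}

if command -v openssl >/dev/null 2>&1; then
    echo "md5 -> md5:       $(roundtrip md5 md5)"       # a jessie file read with -md md5
    echo "sha256 -> sha256: $(roundtrip sha256 sha256)" # stretch default on both sides
    echo "md5 -> sha256:    $(roundtrip md5 sha256)"    # a jessie file read with the stretch default
else
    echo "openssl binary not found; nothing to demonstrate"
fi
```

The mismatched pair almost always ends in "bad decrypt"; on the rare occasion the garbage plaintext happens to carry valid padding the command succeeds and prints nonsense, which is why a decryption that "works" with the wrong digest still has to be checked against known content.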

The 3DES and RC4 ciphers are no longer available for TLS/SSL communication.
Servers linked against OpenSSL can't offer them and clients can't connect
to servers which offer only those. This means that OpenSSL and Windows XP
share no common cipher.

The package libssl-dev provides
header files to compile against OpenSSL 1.1.0. The API changed a lot and
it is possible that the software won't compile anymore. There is an
overview of
the changes. If you can't update your software, there is also
libssl1.0-dev which provides headers
against OpenSSL 1.0.2.

5.3.7. Perl changes that may break third-party software

Some modules have been removed from Perl core and are now shipped
in separate packages. Notable examples are CGI,
available in the libcgi-pm-perl package, and
Module::Build, available in the libmodule-build-perl package.

The current working directory (.) has been removed
from the default list of include directories,
@INC. This may affect usage of
require(), do(), etc., where the
arguments are files in the current directory.

All perl programs and modules shipped by Debian should have been
fixed to address any incompatibilities caused by the above; please
file bugs if this is not the case. As the change has now been made
in perl 5.26.0, third-party software should also start to be fixed.
Information about how to fix this issue for developers is provided
in the
perl 5.26 release notes
(see the SECURITY section).

If needed you can temporarily reinstate . in
@INC globally by commenting out the line in
/etc/perl/sitecustomize.pl, but you should
only do this with an understanding of the potential risks. This
workaround will be removed in Debian 10. You can
also set the PERL_USE_UNSAFE_INC environment
variable in a specific context, which will have the same effect.

5.3.8. PostgreSQL PL/Perl incompatibility

The PostgreSQL PL/Perl procedural language package in jessie is
incompatible with the Perl version in stretch. The
postgresql-plperl-9.4 package
will be removed during the update, rendering server-side Perl procedures
dysfunctional. Upgrading to PostgreSQL 9.6 should be unaffected; the
procedures will work in the new PostgreSQL cluster if the
postgresql-plperl-9.6 package
is installed. If unsure, take a backup of your PostgreSQL 9.4 clusters
before upgrading to stretch.

5.3.9. net-tools will be deprecated in favor of iproute2

The net-tools package
is no longer part of new installations by default,
since its priority has been lowered from important to optional.
Users are instead advised to use the modern
iproute2 toolset
(which has been part of new installs for several releases already).
If you still prefer to continue using the
net-tools
programs, you can simply install the package via

apt install net-tools

Warning

Please keep in mind that net-tools may be uninstalled
during the upgrade if it was only installed to satisfy a
dependency. If you rely on net-tools, please remember to mark
it as a manually installed package before the upgrade via:

apt-mark manual net-tools

Here is a summary of the net-tools commands, together with
their iproute2 equivalent:

5.3.10. The _netdev mount option is recommended when using AoE (ATA over ethernet) devices

Note

This only applies to systems that have ATA over ethernet (AoE)
devices mounted. If the system does not mount any network
shares, you can safely skip this section.

Due to a cleanup in the handling of network deconfiguration, AoE
devices in use are no longer handled as expected during
shutdown, possibly resulting in hangs and/or data loss. To
mitigate that situation, it is suggested to mount such devices
using the _netdev mount option. That option
is available when using swap over AoE as well.

Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/^(.*?)(\\)?\${ <-- HERE ([^{}]+)}(.*)$/ at /usr/share/perl5/Debconf/Question.pm line 72.
Unescaped left brace in regex is deprecated, passed through in regex; marked by <-- HERE in m/\${ <-- HERE ([^}]+)}/ at /usr/share/perl5/Debconf/Config.pm line 30.

These warnings are harmless and happen if perl-base is upgraded before the
debconf package.

5.3.12. SELinux policy store migration

Note

This section only applies to systems that use SELinux, which
is not enabled by default.

In stretch, the SELinux policy store has moved from
/etc/selinux/<policy_name> to
/var/lib/selinux/<policy_name>.
Furthermore, the format used inside the store has changed.

The policies provided by Debian (from e.g. the selinux-policy-default package) will
be migrated automatically. However, system specific policies
need to be migrated manually.

The semanage-utils
package provides the script
/usr/lib/selinux/semanage_migrate_store to
do this transition.

5.3.13. iSCSI Enterprise Target no longer supported

The iSCSI Enterprise Target (IET), packaged in the iscsitarget package in previous releases,
is no longer in Debian, as it will not work with recent kernel
versions, and the project has seen no development activity in recent
years.

Users of IET are encouraged to switch to the LIO stack, which is
fully supported in Debian stretch. The package targetcli-fb provides the configuration
utility for the LIO iSCSI target.

As the LIO stack was developed independently of the IET, the
configuration has to be migrated manually.